Last week, groups of congressional staffers gathered in conference rooms in the nation's capital. They were coming to hear from a representative from Symantec about the current threat landscape in cyberspace.

It's an annual event for the security software giant, one in which staffers are briefed on current and emerging threats. They, in turn, brief lawmakers who are looking for ways to "catch up" in the war in cyberspace.

As you might expect in a briefing on cybersecurity, lots of numbers were thrown out: an 81% increase in the number of malware attacks, 5.5 billion attacks blocked worldwide and some 403 million unique pieces of malware (many of them auto-generated variations of the same attack) aimed at computer users around the world.

Many of these threats are familiar to Symantec, and that familiarity is a big reason the company has become a powerhouse in the security industry. Protecting against old viruses and detecting new ones is how it makes its money. Business is apparently good, with some 200,000 new pieces of malware sent to the company every week for analysis.

That's one of the reasons the company staffs its security desk 24/7. It was a weekend staffer who got first wind of a new threat this past Memorial Day: a new piece of malware sent to the company by a Hungarian researcher, a trusted partner, so it was moved a little closer to the top of the heap for scrutiny. What the Symantec researcher saw shocked him a little.

"The first thing was its size," said Kevin Haley, Symantec's director of security response, who was alerted over the holiday weekend that this virus was different – way different – than anything the company had seen. "Stuxnet was really unique because of its size, and this is about 20 times bigger than Stuxnet."

"When you start looking at it, it was clear that it was very complex. It was doing a lot to make it look like a normal program," said Haley. "There were encrypted pieces, and they had a lot of functionality, so we really started to do some serious investigating."

What they found was a series of modules. The entire virus had been pieced together like a LEGO creation, one part building on another. Modules could be added to the spyware after it was already on an infected computer, giving the developer enormous freedom to tinker at will.

One specific example is a Bluetooth module, which allowed the spyware to spread to other devices. That's just one of some 60 modules identified in the first week.

The hunt for further clues is expected to take months, and researchers may never know who is behind the virus. Symantec said that while the authors of viruses like these rarely leave a "signature" in the code, they sometimes inject something that looks odd. In this case, researchers found multiple references to a string dubbed "Jimmy."

Other security companies have been combing through "Flame" as well, looking for clues and details about its origins and abilities.

Microsoft announced over the weekend that it had identified a part of the code that had been signed in a way that made it look as if it had originated with the software giant.

The company also said it has issued a fix, saying in a security advisory that "the vast majority of customers are not at risk." The statement also said the company has taken steps to make sure the signature issue doesn't happen again.
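The article does not describe how the code came to carry a Microsoft-looking signature, only that it did and that Microsoft revoked trust so it cannot recur. The example below is added here and is not CNN's, Symantec's or Microsoft's code. It shows the policy checks a verifier should make before trusting a code signature, independent of the cryptographic check of each link in the chain (assumed already done): walk the chain to a trust anchor, require that every certificate in it is permitted to sign code, and refuse anything on an explicit distrust list, which is the kind of "make sure it doesn't happen again" step a vendor can ship. Certificates here are plain dicts with constructed names; nothing is parsed from real X.509 data.

```python
"""Added example (not from the article): chain policy checks for a
code-signing certificate. Certificates are modelled as dicts with the
fields subject, issuer, ca (bool) and eku (list of OIDs or None).
All names below are constructed sample data."""

CODE_SIGNING = "1.3.6.1.5.5.7.3.3"   # id-kp-codeSigning
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"    # id-kp-serverAuth
ANY_EKU = "2.5.29.37.0"              # anyExtendedKeyUsage


def permits_code_signing(cert):
    """A certificate may sign code, or issue code-signing certificates,
    only if its EKU list allows it. No EKU extension is treated as
    unrestricted, which is how most validators behave."""
    eku = cert.get("eku")
    if eku is None:
        return True
    return CODE_SIGNING in eku or ANY_EKU in eku


def build_chain(leaf, pool, roots, max_depth=8):
    """Follow issuer links from the leaf until a trust anchor is reached.
    Returns the chain leaf-first, or None if no anchor is found within
    max_depth hops (also guards against self-signed loops)."""
    chain = [leaf]
    cur = leaf
    for _ in range(max_depth):
        if cur["subject"] in roots and cur["issuer"] == cur["subject"]:
            return chain
        issuer = pool.get(cur["issuer"])
        if issuer is None:
            return None
        chain.append(issuer)
        cur = issuer
    return None


def check_code_signing_chain(leaf, pool, roots, distrusted):
    """Return (True, 'ok') if the leaf may be trusted to sign code,
    otherwise (False, reason). The signature on each link is assumed to
    have been verified already; this enforces policy only."""
    chain = build_chain(leaf, pool, roots)
    if chain is None:
        return False, "chain does not end at a trusted root"
    for cert in chain:
        # A distrust list is the revocation-style fix the article alludes to.
        if cert["subject"] in distrusted:
            return False, f"{cert['subject']} is explicitly distrusted"
        # EKU must chain: a CA never meant for code signing must not be
        # able to mint a leaf that signs code.
        if not permits_code_signing(cert):
            return False, f"{cert['subject']} is not permitted to sign code"
    for cert in chain[1:]:
        if not cert.get("ca"):
            return False, f"{cert['subject']} is not a CA but issued a cert"
    return True, "ok"


# Constructed sample PKI: one root, a proper code-signing CA, a CA that
# was only ever meant for server authentication, and three leaves.
SAMPLE_POOL = {c["subject"]: c for c in [
    {"subject": "Example Root CA", "issuer": "Example Root CA",
     "ca": True, "eku": None},
    {"subject": "Example Code Signing CA", "issuer": "Example Root CA",
     "ca": True, "eku": [CODE_SIGNING]},
    {"subject": "Example Server Auth CA", "issuer": "Example Root CA",
     "ca": True, "eku": [SERVER_AUTH]},
    {"subject": "Good Publisher", "issuer": "Example Code Signing CA",
     "ca": False, "eku": [CODE_SIGNING]},
    {"subject": "Rogue Publisher", "issuer": "Example Server Auth CA",
     "ca": False, "eku": [CODE_SIGNING]},
    {"subject": "Orphan Publisher", "issuer": "Unknown CA",
     "ca": False, "eku": [CODE_SIGNING]},
]}
SAMPLE_ROOTS = {"Example Root CA"}


if __name__ == "__main__":
    for name in ("Good Publisher", "Rogue Publisher", "Orphan Publisher"):
        ok, why = check_code_signing_chain(SAMPLE_POOL[name], SAMPLE_POOL,
                                           SAMPLE_ROOTS, set())
        print(f"{name}: {'TRUSTED' if ok else 'REJECTED'} ({why})")
    # After the vendor pushes a distrust entry, even a previously good
    # chain is rejected.
    ok, why = check_code_signing_chain(SAMPLE_POOL["Good Publisher"],
                                       SAMPLE_POOL, SAMPLE_ROOTS,
                                       {"Example Code Signing CA"})
    print(f"Good Publisher after distrust: {'TRUSTED' if ok else 'REJECTED'} ({why})")
```

The point of the "Rogue Publisher" case is that a leaf can carry a code-signing EKU and still chain to a trusted root; what has to be checked is that every issuer above it was authorised to grant that usage. The distrust-list path shows why a vendor's fix can be a trust-store update rather than a patch to any binary.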

Symantec said it also has a fix for the virus. Iran, which was a major target of the attack, said it has a fix, too. But the question of who launched "Flame" in the first place is a little tougher to pin down, according to Haley, who said efforts to find additional modules will continue in the coming months.

"It's an ongoing story for us."

But back to that briefing on the Hill last week. It turns out that while "Flame" is grabbing the headlines, it isn't the most dangerous threat for home computer users. Some of the old favorites among attacks aimed at consumers' computers are still the most effective. According to Haley, it's those pop-up ads that tell you your computer has already been infected.

"The two most popular ways are to send you an e-mail with an attachment, and a Web-based or drive-by download that gets you to a malware website," Haley said. The attackers then try to get you to buy their "security" product, and wham! They've got you.

Another favorite way to get you is through social media websites. Attackers are so savvy that they now troll your "friends" list and generate an e-mail that looks like it's coming from you, so what friend wouldn't click on it, right? Wham. You're infected.

It doesn't exactly scream reassurance, but does give lawmakers a better grasp on just how wide-ranging the cyberlandscape is these days.

Except for the Bluetooth functionality, which, I admit, is somewhat interesting, ALL of the features of this malware are present in the years-old, freely available Poison Ivy RAT (Remote Administration Tool). Not to mention, Flame is something like 100 times as large, so in that sense at least, it's actually inferior to Poison Ivy.

The claim for potential state-sponsorship is specious, sensationalist garbage. The author of this piece would do well to discuss this malware with experts whose paychecks aren't dependent on antivirus sales. I realize that prosaic explanations don't attract readers like breathless sensationalism, but assuming that Ms Kelly has some pride in her profession, I hope she seeks out some more dispassionate perspectives next time.

At that size you can pretty much guarantee it's a government job. Who else would code that much bloat?

June 5, 2012 at 10:22 pm |

Daniel

Good article, but you left out some key technical information, such as that the Flame virus was written in a programming language called Lua, which was developed in Brazil and is usually used for game programming, such as "Angry Birds." So if you want to be spot on, please dig a little deeper.

Since when has "not Windows" meant "Macs"? There are still many alternatives to the Mac OS if that's not your speed.

June 5, 2012 at 9:32 pm |

Restopo

Hmm. Sounds interesting. A virus capable of monitoring emails, taking screen shots, and recording audio. And Iran was the center of the attack. I wonder who would want to spy on Iran, and is capable of creating a "super virus"? Beats me.

Israel is our only ally in the whole Mid-East. If they did infect Iran, then more power to them. How about Iran being the originator to throw suspicion on the West? I hope they go down in flames. Semper Fi

Israel is our ally, or do they use the media and give millions to Congress to make us foolishly believe that lie? Go study your history. Look up the "Lavon Affair" or the USS Liberty and see if Israel really is our ally or is just using us as fools. Remember, the Talmud says it's OK for Jews to lie to, use, cheat and steal from Gentiles.

June 5, 2012 at 9:51 pm |

Cheese Wonton

You might want to find out who China's number two arms supplier is. The Israelis make a nice profit repackaging the best US military technology for sale to both Russia and China, but especially China. They have saved the Chinese many billions of dollars and at least ten years catching up to the US in technology, providing the Chinese information on US radar waveforms so they can develop effective jammers and radar warning receivers. They taught the Chinese how to write the control laws for the J-10 fighter (after General Dynamics taught the Israelis this during the Lavi development program), and they taught the Chinese how to integrate both Israeli- and Russian-made air-to-air missiles into a helmet-mounted sight.
Why would Israel do this? It is very simple. They trade the only thing of value to the Chinese that they possess, US military technology, seeking to influence the Chinese not to sell their aircraft and weapons to Israel's enemies in the Middle East. It would be poetic justice indeed if an Israeli strike against Iran required the IAF to fight its way past the very J-10 fighters the Israelis helped the Chinese design, but so far every effort by Iran to buy this aircraft has been turned away. Coincidence? I think not.

I disagree, Josh. The word's meaning has adapted from this fishing definition: "In modern English usage, the verb troll is a fishing technique of slowly dragging a lure or baited hook from a moving boat" in order to essentially snag a fish.


About this blog

CNN's Security Clearance examines national and global security, terrorism and intelligence, as well as the economic, military, political and diplomatic effects of it around the globe, with contributions from CNN's national security team in Washington and CNN journalists around the world.